On 11/15/2012 03:10 PM, Simo Sorce wrote:
On Thu, 2012-11-15 at 12:41 +0100, Petr Vobornik wrote:
On 11/15/2012 11:54 AM, Tomas Babej wrote:

This is server part of #3252.

When a user from a realm other than FreeIPA's tries to use the Web UI
(login via forms-based auth or with a valid trusted realm ticket),
the 401 Unauthorized error with X-Ipa-Rejection-Reason=denied
is returned.

Also, the support for usernames of the form user@SERVER.REALM
or user@server.realm was added.

+        # allows login in the form user@SERVER_REALM or FIXME:user@server_realm
The comment may not be clear for other people. I would be more verbose
about the FIXME.

+        parts = user.split("@")
+        if len(parts) > 1:
+            if parts[1].upper()==self.api.env.realm:
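Review bot: the `len(parts) > 1` check accepts a username containing more than one `@` (`a@b@REALM` splits into three parts, `parts[1]` becomes `b` and the trailing realm is silently dropped); require `len(parts) == 2` (or use `user.rsplit('@', 1)`) and reject anything else. Also, `.upper()` is applied only to the input side, so the comparison assumes `self.api.env.realm` is already uppercase; uppercasing both sides makes that explicit. Style: spaces around `==`, i.e. `if parts[1].upper() == self.api.env.realm:`.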
I don't think we wanted to do this hard-check of realm. Personally I'm
not against it because it's better to fail at login than at a subsequent
command (which will happen). Anyway it should be commented.

+                user=parts[0]
+            else:
+                return self.unauthorized(environ, start_response, '', 'denied')
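Review bot: the `else` branch returns `denied` for every realm that does not equal `self.api.env.realm` before any LDAP bind is attempted, so a trusted-realm principal that a SASL identity mapping would accept is rejected by a string comparison alone; strip the suffix only when it matches the local realm, otherwise pass the full `user@REALM` on to the bind and let a bind failure produce the 401. Style: `user = parts[0]`.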
I think you should really fail only if you get failure connecting to
LDAP. Because we can easily allow logins by providing a mapping object
as part of SASL rules, we simply do not do it yet.


Turns out if a user from a trusted realm logs in using the WebUI form,
he successfully obtains a ticket; however, a ccache is created with
a negative expiration time, because the KRB5_CCache classes
use the server's realm in their methods.
